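#!/bin/bash
# Build the hacker-challenge enclave binary and package it as a reproducible
# Occlum bundle (challenge_instance/challenge.tar.gz).
#
# Usage: $0 [--prep]
#   --prep   first install the build prerequisites (apt packages, rust
#            toolchains, the occlum fork). Anything else skips that step.
# Env:
#   TEST     when non-empty, build with the cargo "test" feature.
#
# Strict mode: -u needs every optional input defaulted (see ${1:-} and
# ${TEST:-} below); pipefail makes "git ls-files | while ..." fail loudly
# when git fails instead of silently touching nothing.
set -euo pipefail

# Work from the repository root, one level above this script.
script_dir=$(dirname "$0")
cd "$script_dir/.."

prerequisites=${1:-}

if [[ "$prerequisites" == "--prep" ]]; then
  echo "Preparing the packager environment"
  # One statement per line rather than "a && b": under set -e a failing
  # non-final member of an && list does not abort the script, so a failed
  # "apt update" would previously have skipped the install and carried on.
  apt update
  apt install -y openssh-client
  rustup install 1.83.0
  rustup install stable-x86_64-unknown-linux-gnu
  rustup default stable
  rustup target add x86_64-unknown-linux-musl

  echo "Building the occlum fork"
  # NOTE(review): the clone is not pinned to a tag or commit, so two --prep
  # runs may build different occlum sources; pin it if the bundle hash is
  # meant to be reproducible across machines.
  [[ -d occlum ]] || git clone https://gitea.detee.cloud/general/occlum.git
  (cd occlum && make submodule)
  (cd occlum/tools/toolchains/utils_lib && ./build.sh)
fi

# Release build for the musl target (added by "rustup target add" in --prep
# mode); the "test" feature flag is the only difference between the branches.
challenge_bin=target/x86_64-unknown-linux-musl/release/hacker-challenge
if [[ -n "${TEST:-}" ]]; then
  echo "Building the hacker-challenge with test feature"
  occlum-cargo build --release --features test
else
  echo "Building the hacker-challenge"
  occlum-cargo build --release
fi

# Strip symbols, then print the digest of the raw binary for the build log.
strip "$challenge_bin"
sha256sum "$challenge_bin"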
# Manifest for copy_bom: the release binary is placed in /bin of the image
# root and the two Occlum runtime libraries in /lib. The delimiter is quoted
# because the content contains nothing to expand.
# NOTE(review): as shown here the YAML carries no indentation; if it was
# flattened in transit, restore the nesting (copy: under each "- target:"
# entry, the file list under copy:) before relying on it.
cat <<'EOF' >challenge.yaml
includes:
- base.yaml
targets:
- target: /bin
copy:
- files:
- ../target/x86_64-unknown-linux-musl/release/hacker-challenge
- target: /lib
copy:
- files:
- /opt/occlum/toolchains/dcap_lib/musl/libocclum_dcap.so.0.1.0
- /opt/occlum/toolchains/utils_lib/musl/libocclum_utils.so.0.1.0
EOF
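# Build a fresh Occlum instance around the manifest. Each step is its own
# statement so that set -e stops at the first failure; in the previous
# "a && b && c" form a failing non-final command was skipped over and the
# script carried on in the wrong state (a failing "occlum init" still led
# to copy_bom and "occlum build" running).
rm -rf challenge_instance
mkdir challenge_instance
cd challenge_instance
occlum init
rm -rf image
cp ../scripts/Occlum.json ./
copy_bom -f ../challenge.yaml --root image --include-dir /opt/occlum/etc/template
# TODO: "--enable-edmm Y" must be only for platforms that support SGX2
# TODO: make sure the bundle needs SGX2 to run since SGX1 is vulnerable to https://x.com/PratyushRT/status/1828183761055330373
# NOTE(review): the enclave is signed with ../scripts/signing_key.pem; anyone
# holding that key can produce bundles that verify as the same signer, so
# confirm it is provisioned into the build environment rather than checked in.
occlum build --sgx-mode HW --sign-key ../scripts/signing_key.pem

echo "Packaging the hacker-challenge signed bundle"

cd ..
# Lets the git commands that follow run on a checkout owned by a different
# uid than the build user (presumably a volume mounted into the container).
# The setting is global and matches every directory, not just this repository,
# so it is only acceptable in a throwaway build environment.
git config --global --add safe.directory '*'

# If occlum was built in HYPER mode, pkg_files also need
# ./challenge_instance/build/lib/libocclum-pal_hyper.so*
#
# Kept as one whitespace-separated string on purpose: it is expanded unquoted
# by find and tar so that the libocclum-pal.so* glob resolves at that point.
pkg_files="\
./challenge_instance/Occlum.json \
./challenge_instance/build/bin \
./challenge_instance/build/lib/libocclum-libos.signed.so \
./challenge_instance/build/lib/libocclum-pal.so* \
./challenge_instance/build/initfs ./challenge_instance/build/mount \
./challenge_instance/build/.Occlum_sys.json.protected \
./challenge_instance/initfs ./challenge_instance/run \
./challenge_instance/.__occlum_status ./challenge_instance/.sgx_mode"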
#######################################
# Print the committer date of the most recent commit selected by the given
# "git log" arguments (HEAD when none are given) as a UTC timestamp in the
# form YYYY-MM-DDTHH:MM:SSZ.
# Arguments: forwarded verbatim to "git log -1" (typically a path)
# Outputs:   the timestamp on stdout
# Returns:   git's exit status
#######################################
get_commit_time() {
  local -a fmt=(--format=tformat:%cd --date=format:%Y-%m-%dT%H:%M:%SZ)
  TZ=UTC0 git log -1 "${fmt[@]}" "$@"
}
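# Set each tracked file's mtime to that of its latest commit so the archive
# does not depend on when the tree was checked out. The loop runs in a
# pipeline subshell; commit_time is not needed afterwards. IFS= keeps leading
# or trailing blanks in file names, and the timestamp is quoted.
git ls-files | while IFS= read -r file; do
  commit_time=$(get_commit_time "$file") &&
    touch -md "$commit_time" -- "$file"
done

# Set each packaged directory's mtime to that of its newest entry ("ls -At"
# lists dotfiles too, newest first; -depth handles children before parents).
# $pkg_files is deliberately unquoted: it is a space-separated list that also
# carries the libocclum-pal.so* glob.
# shellcheck disable=SC2086
find $pkg_files -depth -type d -exec sh -c \
  'touch -r "$1/$(ls -At "$1" | head -n 1)" "$1"' _ {} ';'

# Pretend that the modification time for each newer file is that of the most
# recent commit of any source file; --clamp-mtime leaves older files alone.
# An array instead of a whitespace-split string keeps every flag one word.
source_epoch=$(get_commit_time)
tarflags=(
  --sort=name --format=posix
  --pax-option=exthdr.name=%d/PaxHeaders/%f
  --pax-option=delete=atime,delete=ctime
  --clamp-mtime --mtime="$source_epoch"
  --numeric-owner --owner=0 --group=0
  --mode=go+u,go-w
)

# The archive is named after bundle_name and the challenge_instance/ prefix
# inside it is rewritten to the same stem.
# NOTE(review): -z hands compression to gzip, whose own header carries a
# timestamp; if the digest below differs between otherwise identical runs,
# use -I 'gzip -n' instead — confirm against the installed gzip.
bundle_name=challenge
# shellcheck disable=SC2086
LC_ALL=C tar "${tarflags[@]}" -cvzf "challenge_instance/$bundle_name.tar.gz" \
  --transform "s/challenge_instance/$bundle_name/" \
  $pkg_files

sha256sum "challenge_instance/$bundle_name.tar.gz"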